From a3b6b2d3055070da9bf7054fecfd0b171c398eb7 Mon Sep 17 00:00:00 2001 From: Jonas Ådahl Date: Sun, 28 Oct 2012 00:50:12 +0200 Subject: wayland: Destroy frame callback when destroying surface MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit If a frame callback is not destroyed when destroying a surface, its handler function will be invoked if the surface was destroyed after the callback was requested but before it was invoked, causing a write on free:ed memory. This can happen if eglDestroySurface() is called shortly after eglSwapBuffers(). Note: This is a candidate for stable branches. Reviewed-by: Kristian Høgsberg --- src/gallium/state_trackers/egl/wayland/native_wayland.c | 3 +++ 1 file changed, 3 insertions(+) (limited to 'src/gallium/state_trackers/egl') diff --git a/src/gallium/state_trackers/egl/wayland/native_wayland.c b/src/gallium/state_trackers/egl/wayland/native_wayland.c index 62c87f3b943..560e40d4cee 100644 --- a/src/gallium/state_trackers/egl/wayland/native_wayland.c +++ b/src/gallium/state_trackers/egl/wayland/native_wayland.c @@ -355,6 +355,9 @@ wayland_surface_destroy(struct native_surface *nsurf) wl_buffer_destroy(surface->buffer[buffer]); } + if (surface->frame_callback) + wl_callback_destroy(surface->frame_callback); + resource_surface_destroy(surface->rsurf); FREE(surface); } -- cgit v1.2.3